package org.genntii.smgateway.config;


import jakarta.annotation.Resource;
import org.genntii.smgateway.filter.JwtAuthenticationFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.reactive.CorsConfigurationSource;
import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;

import static org.springframework.security.config.Customizer.withDefaults;

@EnableWebFluxSecurity
@Configuration
public class WebSecurityConfig {

    @Resource
    private JwtAuthenticationFilter jwtAuthenticationFilter;


    @Bean
    public SecurityWebFilterChain filterChain(ServerHttpSecurity http){

        http.cors(withDefaults());

        http.csrf(ServerHttpSecurity.CsrfSpec::disable);

        http.formLogin(ServerHttpSecurity.FormLoginSpec::disable);

        http.logout(ServerHttpSecurity.LogoutSpec::disable);


        http.authorizeExchange(authorize-> authorize.pathMatchers("/test").permitAll()
                .pathMatchers("/login").permitAll()
                .pathMatchers("/sendEmail").permitAll()
                .pathMatchers("/register").permitAll()

                // 开放所有服务权限 测试用
                .pathMatchers("/article/latest").authenticated()
                .pathMatchers("/article/**").permitAll()
                .pathMatchers("/article_favorites/**").permitAll()
                .pathMatchers("/article_tag/**").permitAll()
                .pathMatchers("/article_tag_relational/**").permitAll()
                .pathMatchers("/auth/**").permitAll()
                .pathMatchers("/channel/**").permitAll()
                .pathMatchers("/comment/**").permitAll()
                .pathMatchers("/comment_image/**").permitAll()
                .pathMatchers("/steam_achievement/**").permitAll()
                .pathMatchers("/steam_category/**").permitAll()
                .pathMatchers("/steam_player/**").permitAll()
                .pathMatchers("/steam_store/**").permitAll()
                .pathMatchers("/steam_user_achievement/**").permitAll()
                .pathMatchers("/steam_user_store/**").permitAll()
                .pathMatchers("/user_directory").permitAll()
                .pathMatchers("/user_directory/swagger-config","/user_directory/v3/api-docs").permitAll()
                .pathMatchers("/user/**").permitAll()
                .pathMatchers("/user_subscribe/**").permitAll()
                .pathMatchers("/doc.html","/webjars/**","/v3/**","/swagger-resources/**").permitAll()
                .pathMatchers("/article_like/**").permitAll()
                .pathMatchers("/user_history/**").permitAll()
                .pathMatchers("/steam/**").permitAll()
                .anyExchange().permitAll()
        );

        http.addFilterAt(jwtAuthenticationFilter, SecurityWebFiltersOrder.AUTHENTICATION);

        return http.build();

    }


    @Bean
    public CorsConfigurationSource corsConfigurationSource(){
        CorsConfiguration corsConfig = new CorsConfiguration();
        corsConfig.addAllowedOriginPattern("*"); // 允许任何源
        corsConfig.addAllowedMethod("*"); // 允许任何HTTP方法
        corsConfig.addAllowedHeader("*"); // 允许任何HTTP头
        corsConfig.setAllowCredentials(true); // 允许证书（cookies）
        corsConfig.setMaxAge(3600L); // 预检请求的缓存时间（秒）

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**",corsConfig);
        return source;
    }

}
